Do not pull referenced images during build #2579
Merged
What does this change
At build time, Porter needs the repository digest of each referenced image from porter.yaml. We update the referenced images in the final porter.yaml generated to .cnab/app/porter.yaml with the digest, so that the bundle is "pinned" to a specific image that can't be messed up by a force push over an existing tag, for example.
I have updated how we do this so that instead of pulling the entire referenced image, we just call HEAD on the image to get its repository digest.
Previously when we pulled images during build, we always allowed insecure registries (because the underlying implementation didn't support making that configurable). Now that we are executing a HEAD request instead to get the digest, instead of pulling the image with PullImage, we can be more explicit like we are with the publish command.
I have added --insecure-registry to porter build, so that the bundle author can decide when building if they want to allow connections to an insecure registry (http or self-signed certificates).
What issue does it fix
Closes #2576
Notes for the reviewer
N/A
Checklist
Reviewer Checklist
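The digest lookup described in this pull request, sketched as an added example using only the Go standard library; it is not Porter's implementation. The names `headDigest`, `pinnedRef` and `sampleDigest`, the repository `app/web` and the in-process registry are hypothetical and constructed for illustration. The `/v2/<name>/manifests/<tag>` path and the `Docker-Content-Digest` response header come from the OCI distribution API.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample digest; a real registry returns the manifest's SHA-256.
const sampleDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// headDigest resolves repo:tag to its digest with a HEAD request, so no image
// layers are downloaded. Certificate checks are skipped only if insecure is set.
func headDigest(baseURL, repo, tag string, insecure bool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
	}}
	resp, err := client.Head(baseURL + "/v2/" + repo + "/manifests/" + tag)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	digest := resp.Header.Get("Docker-Content-Digest")
	if resp.StatusCode != http.StatusOK || !strings.HasPrefix(digest, "sha256:") {
		return "", fmt.Errorf("no digest for %s:%s (status %d)", repo, tag, resp.StatusCode)
	}
	return digest, nil
}

// pinnedRef starts a constructed in-process registry with a self-signed
// certificate, resolves app/web:v1 and returns the digest-pinned reference.
func pinnedRef(insecure bool) (string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Docker-Content-Digest", sampleDigest)
	}))
	defer srv.Close()
	digest, err := headDigest(srv.URL, "app/web", "v1", insecure)
	if err != nil {
		return "", err
	}
	return strings.TrimPrefix(srv.URL, "https://") + "/app/web@" + digest, nil
}

func main() {
	fmt.Println(pinnedRef(false)) // fails: the self-signed certificate is not trusted
	fmt.Println(pinnedRef(true))  // succeeds only because the caller opted in
}
```

With `insecure` left false the lookup fails closed on the untrusted certificate, which is the default behaviour an explicit opt-in flag is meant to preserve.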